Part 1: The California Consumer Privacy Act — What Insurers Need to Know

Assembly Bill No. 375, better known as the California Consumer Privacy Act (CCPA), is likely the most robust and sweeping privacy law in the United States. This is not surprising as California is notoriously at the forefront of passing privacy legislation, even though close to 20 other states are also taking steps to pass similar legislation.

The CCPA, which becomes effective January 1, 2020, creates a number of consumer rights regarding the collection, storage, selling, and processing of personal information, as well as corresponding business obligations. Cal. Civ. Code Sections 1798.100; 1798.105; 1789.120; 1798.125; 1798.130; 1798.135. The CCPA’s definition of personal information is very broad, and includes information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code Section 1798.140(o). Further complicating the matter are additional definitions that are ambiguous and sometimes conflicting.

All for-profit companies, including insurance companies, are required to comply with the CCPA if they meet one of the following:

1. Have annual gross revenue in excess of $25 million

2. Annually buy, receive, sell, or share the personal information of 50,000 or more consumer households or devices

3. Derive 50 percent or more of their annual revenue from selling consumer personal information.

Although the CCPA has a number of exceptions that apply to insurance companies, they are only partial and insurers will remain subject to the CCPA if they engage in conduct outside of the scope of these exceptions, which they likely do. Some exceptions include: Cal. Civ. Code Section 1798.145(c) (health/medical information under the Confidentiality of Medical Information Act and Health Insurance Portability and Accountability Act); Cal. Civ. Code Section 1798.145(e) (personal information governed by the Gramm-Leach-Bliley Act (GLBA) and the California Financial Information Privacy Act); and Cal. Civ. Code Section 1798.145(f) (the Driver’s Privacy Protection Act).

Since being signed into law on June 28, 2018, the CCPA has been met with significant criticism and proposed legislation seeking to amend and/or clarify its terms. Of note to insurers is Assembly Bill 981, which proposes to:

1. Eliminate a consumer’s right to request that an insurer delete or not sell personal information when the insurer’s retention and/or sharing of that information is necessary to complete an insurance transaction on the consumer’s behalf

Not only does the CCPA stand to affect insurers from a business compliance standpoint, but it also may affect their obligations to provide coverage for insureds that allegedly violate the CCPA. The CCPA creates a private right of action in the event of unauthorized access, theft, or disclosure of nonencrypted or nonredacted personal information as a result of a business’s failure to maintain reasonable security, and subjects violators to fines, penalties, and enforcement actions as a result of same. The CCPA could therefore result in a surge of consumer protection/rights lawsuits, and a corresponding uptick in demands for coverage from sued companies to their insurers.

Cyber policies are intended to mitigate risks associated with the use of technology to process consumers’ personal information, including data breaches, system failures, and cyber extortion. However, they may not provide for coverage against the risks associated with violations of the CCPA.

For example, a policy may or may not provide coverage for:

1. Statutory damages, fines and/or penalties

2. Violating disclosure requirements

3. Failing to delete data upon request

4. Regulatory claims.

Other considerations include how cyber policies interact with other insurance policies that may respond, and whether other traditional third-party and first-party insurance policies will respond to claims alleging CCPA violations.

Given the sweeping nature of the CCPA, insurers are analyzing compliance requirements and the potential damages arising out of a CCPA violation. Likewise, insurers must weigh the extent to which the market is requesting coverage for these claims and resulting damages against their appetite to provide coverage.

This is the first post in a multi-part series on what insurers need to know about the CCPA. Subsequent posts will provide more in-depth analysis on compliance by insurers and coverage considerations under particular insurance policies, as well as how insurers can prepare on both fronts.

The full text of the CCPA can be found here. Goldberg Segalla’s CCPA fact sheet can be found here, prepared by partner Marc S. Voses, chair of the Cybersecurity and Data Privacy Practice Group. Please contact the authors with any questions or requests for additional information.